Air Force Registration Authority Restructures the DAF LRA Program

  • Published
  • By Air Force Public Key Infrastructure System Program Office
The Department of the Air Force Public Key Infrastructure System Program Office (DAF PKI SPO) is implementing a strategic restructuring of the DAF Local Registration Authority (LRA) Program. Under this initiative, most Air Force installations will transition to an exclusively Trusted Agent (TA) model, supported by a centralized cadre of DAF Registration Authorities (RA). 

This modernized LRA structure reduces the number of active LRA sites from nearly 200 to roughly 30 for more effective and efficient management and oversight, while preserving full LRA capabilities at select locations, which include Air Force Major Commands (MAJCOM), Air Force-supported Combatant Commands (COCOM), Air National Guard (ANG), Air Force Reserve Command (AFRC), and other strategically identified locations.

This shift aligns with Department of Defense (DoD) PKI Program Management Office (PMO) audit requirements and is intended to streamline operations while ensuring continued compliance with DAFMAN 17-1304. 

Role and Benefits of Trusted Agents

Trusted Agents are essential to sustaining PKI certificate registration operations and significantly reducing the workload on LRAs. Leveraging TAs offers several key benefits: 
•    Expedited training, typically completed in one to two hours via PowerPoint or Computer-Based Training (CBT)
•    Unlimited scalability, with no cap on the number of TAs an installation may train or employ 
•    Seamless integration with existing LRA personnel and processes
•    Direct communication channels to DAF RAs for support
•    No requirement for dedicated workstations, enabling flexible deployment
•    Exemption from DoD Cyber Defense Command (DCDC) audit requirements
•    Ability to perform approximately 90% of LRA functions, with the exception of SIPRNet Token Certificate Request Initiation (CRI) and NEATS Registration Creation.

As part of the restructuring effort, installations are encouraged to fully leverage the TA structure and may designate and train an unlimited number of TAs to meet their PKI certificate needs. The DAF RA office will continue to create SIPRNet CRIs and oversee all registrations within the Automated Token Issuance Management System (ATIMS).

Timeline

To support this restructuring, efforts to expand the DAF RA workforce are already in progress. Alongside the existing RA team at Joint Base San Antonio (JBSA), a second full-time RA team is being established at Gunter Annex, AL, to provide comprehensive support to TAs across the enterprise from 0700-1600 CST. The Gunter Team is scheduled to be fully operational not later than 1 March 2026. 

Beginning 15 March 2026, DAF RAs will initiate the phased transition of LRA functions to TAs, including associated provisioning activities. This transition period is expected to span several months. 

DCDC Guidance Memo 

In accordance with the National Security System (NSS) PKI Registration Practices Statement (RPS) and DoD PKI RA/LRA Certificate Practice Statement (CPS), all LRA sites are required to undergo DCDC audits to verify compliance with established standards. Historically, these audits have identified a high volume of critical findings across DAF LRA sites. Such performance gaps and non-compliant Information Technology (IT) practices introduce significant cybersecurity risks and insider threat vulnerabilities.  

Consequently, DCDC issued a guidance memo outlining changes to the LRA audit framework and potential updates to the NSS PKI RPS and DoD PKI RA/LRA CPS. The memo directs Service Cyber Components (SCC) to establish an independent, objective, and impartial inspection workforce capable of conducting synchronized PKI audits within their Department of Defense Information Network (DoDIN) Areas of Operations (DAO). SCCs will coordinate with DCDC Defense Readiness and Security Inspectorate (DRSI) to secure required PKI auditor training, certification, and accreditation for at least one service PKI audit team by May 2026.

Under this updated audit structure, two auditors are required to support 30 designated sites. The DAF RA office is on track to field two fully trained auditors not later than 15 April 2026. 

Additional requirements of the DCDC Guidance Memo include:
 
  • Each SCC will expand capacity to plan, coordinate, and execute all service-related PKI audits traditionally executed by DCDC DRSI. The minimum goal of Service PKI Audit execution is 60 percent of service sites in fiscal year 2026 (FY26), with overall goal of 100 percent Service PKI audit coverage within a 2-year period.
  • DCDC Joint Directive (JD) certifies all PKI auditor teams to conduct PKI audits in accordance with DoD, federal, and DCDC published inspection standards and audit schedules.
  • DCDC JD-certified PKI audit teams will conduct PKI audits on behalf of DCDC within their DAO. 
  • DCDC will provide program oversight, training, and certification on behalf of DoD PKI PMO.
  • SIPRNet operations are required to be audited annually.
  • NIPRNet operations are required to be audited every three years; however, NIPRNet operations could be audited annually if a site is found non-compliant or if major changes occur to the RPS/CPS.

Note that DCDC Policy Management Authority (PMA) can shut down any RA/LRA operation found non-compliant, and/or may revoke certificates that were issued based on registration at the RA/LRA facility.